Presented by Mark Minasi [email protected]
Free newsletter at www.minasi.com
Contents copyright 2009 Mark Minasi

Slide 2: About Mark
- Programmed large-scale economic simulation models in the late 70s and early 80s
- Over a thousand columns since 1986 in BYTE, Compute!, OS/2 Magazine, OS/2 Professional, InfoWorld, ComputerWorld, AI Expert, Windows IT Pro
- Teaches, writes and consults on PCs and networking full time since 1984
- Has taught in 22 countries
- Security consulting since 2001
- Directory Services MVP
- Voted "Favorite Technical Author" four times out of four at CertCities.com
- 28 books, many bestsellers...

About Mark: 28 books, including...

How many of you do security at your company?

Slide 5: How many of you ASKED to do security at your company?

Slide 6: What's This Talk All About?
- Review the fundamentals, but with a 2009 perspective
- Most of us are better at the basics than in 1999
- A chance to help you in the ongoing battle to convince our users that security matters
- We've got to crack the carbon constraint
- If you've made the choice to use Win 6 (Vista / Server 2008) or 7, I want you to know where to go to get the most out of that investment security-wise

Slide 7: Why Security Still Matters
- Protecting company assets, of course
- In the past decade, though, we've had a new dynamic in the form not just of security, but of Internet security
- As I'm sure most of you already know, the nature of the bad guys has made a 180 degree turn in the past six years... or, in other words, since Server 2003 and XP shipped

Slide 8: Twelve Tips
1. You are a risk manager
2. Write a security policy
3. Passwords
4. Authenticate right
5. Stomp Administrator
6. Auditing and logs
7. Nail the services... or the developers
8. Physical security
9. Have a DR plan
10. Upgrade the carbon units
11. Stay informed
12. Patch!
Slide 10: It Is Simply Not Possible To Secure Your Network
- ... at least, it's not possible to secure it 100 percent
- We accept and absorb risks all the time

Slide 11: Security Has A Price
- IT's job versus security's job
- Many "hardening" techniques will cause software to break

Slide 12: Write a Security Policy (one on paper, that is)
- We're talking here about protecting the organization from destruction, so...
- This only works if management's on board
- Must have a written security policy
- Must have a few items that, well, could cause termination
- If not, then relax; you're going to get hacked, probably by an insider, but there's nothing you can do about it, so don't work late
- Good sample policies at http://www.sans.org/resources/policies/

Slide 13: "Bad passwords always beat good security"

Slide 14: Passwords: the stakes
- Passwords are it for most of us in terms of identifying ourselves to the network
- Bad guys just need one account, not all of them
- Passwords are a carbon-based issue, not a silicon-based issue

Slide 15: Passwords: the modern facts
- Passwords are attacked in several ways:
  - Shoulder surfing
  - Post-Its
  - They're yelled across a room
  - Someone steals your password "hashes" and cracks them
  - Someone tries repeatedly to log on with different passwords
- Note that only the last two are technological

Slide 16: A Bit of Technicals on Passwords
- Computers don't store your password; they convert it to a 128-bit "hash" and store that
- Example: "Open Sesame", run through one of many mathematical processes called a "hash function", becomes 0F725ACD85C6390EE6F218C7D382C552
- That hash is essentially your real password: if bad guys get it, they can (1) attempt to reverse it to get your password (difficult) or (2) just directly use the hash to impersonate you (easy)

How Bad Guys Get Your Hash
- Physical access to your system
- Guessing it
  - But that means trying 2^128 possibilities, which is still computationally unlikely: at a million a second it'd take about 10^25 years, and even Moore's Law won't crack that for a while
- Guessing it with a hint... now, that might be possible!

Hint Sources
- Structural limitations on passwords
  - The 1980s "LAN Manager" software limited the possible number of hashes (it uppercases the password and hashes it as two independent 7-character halves) so that checking all possible hashes can be done in a few days on a modern system rather than a zillion years... so LM hashes must go
- Hashes come from human-chosen passwords, and humans tend not to create passwords like "6$^^hH-()()()()(7Ghala"
- Worse yet, many people restrict themselves to personal info or English words
- This is how the bad guys get passwords!

Protecting Your Passwords
- Get your users to create useful, non-trivial passwords
- Mandate a minimum password length of at least 8 characters, and consider 12... 7 or under is bad under all circumstances, for several reasons (one of them: the second LM half of such a password is empty)
- Don't lean on complexity requirements; favor length instead
- Train users to avoid simple English words
- Get rid of LM now. Really... now. Group policies will do it ("Network security: Do not store LAN Manager hash value on next password change" and "Network security: LAN Manager authentication level", both under Security Options)
- Most systems will not have a compatibility problem, but check NASes and network-attached printers
- More info in my June 2003 newsletter on my site, www.minasi.com

Slide 20: Win 6/7 and LM
- After telling us to rid our networks of LM-related stuff for ten years, Microsoft took a big step...
- ... Vista, Server 2008, Win 7 and Server 2008 R2 ship with LM hash storage and LM authentication turned off
- Out of the box, a Vista box won't create an LM hash for you even if you wanted one (the "do not store LAN Manager hash" policy is enabled by default; you have to go out of your way to re-enable LM)

The Dumbest Passwords
- I've got to stress this... in the early 21st century, these kinds of passwords can almost always be cracked in under three minutes:
  - A name associated with you or your organization
  - A date associated with you or your organization
  - A dictionary word
- BTW, just adding a number or a capital adds no more than a few minutes to the time
- People with these passwords must, sadly, be sterilized

Slide 22: 12 Characters? Are You Crazy?
- I advocate a 12-character minimum password length... more length makes up for a "no complexity" requirement
- Only requires a bit of user education on the "passphrase" (November 2004 newsletter)
- 12 lowercase letters = 26^12 = 95,428,956,661,682,176 possibilities
- Try a million a second, and it'll take about 3,000 years (30 centuries)

Slide 23: What, Too Hard?
- Then try for eight-character passwords, and require them to be at least two words
- Audit them against English words; the best tools are no longer available, but Cain & Abel can do some of it
- (But never "audit" a user's password unless he/she has acknowledged it through the written-down security policy)

Slide 24: The Ultimate Password
- Remember why English-word passwords are childishly simple to crack? They weren't 12 years ago
- As Moore's Law strides on, one day any eight-character password, no matter how obscure, will be crackable in an hour or so
- And then what do we do?
- Answer: PKI... so put that on your "things to figure out in the next couple of years" list

Why They Matter
- When you log on, your system decides under the hood how to authenticate with a domain controller: either LM, NTLM, NTLMv2 or Kerberos
- Even in an AD world, the first three get used... and you really want to avoid that

Use a Protocol That Protects Hashes
- NTLMv2 is pretty secure... but by default Windows falls back to LM and NTLM, not NTLMv2
- You can change this in your domain group policy (brand-new 2008/R2 domains don't need this)
- Tell your systems to fall back only as far as NTLMv2: set "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM"
- More details in my Kerberos talk tomorrow at 8:30 here, SIA 401 "Cracking Open Kerberos"

Slide 29: Creating Good Admin Passwords (without having to stress the users)
- Having someone crack one of our (administrator) passwords would be bad
- One answer: set up a different password policy for members of the Domain Admins group from the policy for non-admins
- Possible in 2008 and 2008 R2 with "password settings objects" (fine-grained password policy)
- Needs the 2008 domain functional level; a good tool to utilize it is at www.joeware.net

Slide 30: Stomping Administrator (the account, that is)
- The local "Administrator" account is unaccountable: anyone who knows its password can use it, and the log just says "Administrator"
- There's no real need for it in most organizations
- In Win 6/7, disable it... there's a group policy to do it
- Prohibit insiders from using it also
- This is one of those "do this and get fired..." things you might find in a security policy

Slide 31: Stomping Administrator
- Randomize the admin password (/random generates a random password and would print it; redirecting to nul throws it away, so nobody knows it):
  net user administrator /domain /random>nul
- It doesn't hurt to rename the account in any case
- If using 2003 or 2008, you can create a smart card for the Administrator account, force the Administrator account to only be able to log on with the card (ctrl-alt-del and a password won't work), then lock up the card and disperse the PIN

Slide 32: Don't Spend All Day As Admin
- It's tempting to be logged in all day as an administrator
- Workaround: the runas command, although truthfully it's a pain
- Works best when shift-right-clicking a menu item ("Run as...")
- But there's a better way...

Slide 33: What About UAC?
- In a sense, it's a "reverse Run As"
- You log in as an administrator, but automatically get two identities (a filtered standard-user token and the full administrator token), and a reminder whenever you use the powerful one
- People find it annoying... but I really recommend that you keep it in place
- In silent mode ("elevate without prompting"), it essentially automates the "two account switch" trick

Slide 34: What About UAC?
- I know, you think you hate it, but...
- Once you understand and configure UAC, it can be very useful, so give it a second look
- I'm doing an in-depth talk on it Thursday at 8:30 AM here in this room, and will also cover Windows Integrity Levels

Slide 36: Windows Auditing
- It's been around forever, but isn't always used
- Why use it?
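To put numbers behind the "12 Characters? Are You Crazy?" slide, here is an added example (not part of the deck) that compares exhaustive-search times for several password policies. The million-guesses-per-second rate is the slide's own figure; the billion-per-second rate stands in for a GPU-based cracker and is my assumption, as is the 69-symbol LM alphabet (uppercase letters, digits and punctuation). The arithmetic is in doubles, so the keyspaces are order-of-magnitude values, which is all the comparison needs.

```powershell
# Added example: crack-time estimates for the password policies discussed on the slides.
# Assumptions: 1e6 guesses/s is the slide's rate; 1e9 guesses/s is a guess at a GPU
# cracker; LM uses a 69-symbol uppercase alphabet in two independent 7-character halves.

function Format-Duration([double] $Seconds) {
    # Render a number of seconds in the largest sensible unit.
    if ($Seconds -lt 3600)     { return ('{0:N0} seconds' -f $Seconds) }
    if ($Seconds -lt 86400)    { return ('{0:N1} hours'   -f ($Seconds / 3600)) }
    if ($Seconds -lt 31557600) { return ('{0:N1} days'    -f ($Seconds / 86400)) }
    return ('{0:N0} years' -f ($Seconds / 31557600))
}

function Get-SearchTime {
    param(
        [Parameter(Mandatory=$true)] [string] $Policy,
        [Parameter(Mandatory=$true)] [double] $Keyspace,
        [double] $GuessesPerSecond = 1e6
    )
    # Worst case: the attacker has to try every candidate once.
    $time = Format-Duration ($Keyspace / $GuessesPerSecond)
    $obj = New-Object PSObject -Property @{
        Policy   = $Policy
        Keyspace = ('{0:E2}' -f $Keyspace)
        Time     = $time
    }
    $obj | Select-Object Policy, Keyspace, Time
}

# LM: each 7-character half is attacked on its own, so the work is 2 * 69^7, not 69^14.
$policies = @(
    @{ Policy = '7 lowercase letters';                    Keyspace = [math]::Pow(26, 7) },
    @{ Policy = 'LM: two 7-char halves, 69 symbols each'; Keyspace = 2 * [math]::Pow(69, 7) },
    @{ Policy = '8 chars, all 95 printable ASCII';        Keyspace = [math]::Pow(95, 8) },
    @{ Policy = '12 lowercase letters (the slide)';       Keyspace = [math]::Pow(26, 12) }
)

foreach ($rate in 1e6, 1e9) {
    '{0:N0} guesses per second:' -f $rate
    $policies |
        ForEach-Object { Get-SearchTime -Policy $_.Policy -Keyspace $_.Keyspace -GuessesPerSecond $rate } |
        Format-Table -AutoSize
}
```

At a million guesses a second the table shows roughly 2 hours for 7 lowercase letters, about 170 days for a full 14-character LM password, about 210 years for 8 characters drawn from all 95 printable characters, and about 3,000 years for 12 lowercase letters; move to a billion a second and LM drops to hours while 12 lowercase letters still needs years. That is the whole argument for length over complexity, and for killing LM.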
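The two LM-related group policies named on the "Protecting Your Passwords" and "Use a Protocol That Protects Hashes" slides are stored as registry values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: NoLMHash (1 = don't store the LM hash) and LmCompatibilityLevel (5 = send NTLMv2 only, refuse LM and NTLM). The following added check is mine, not the deck's; the defaults it assumes for an absent value (Vista and later: NoLMHash 1 and level 3; XP: 0 and 0) are documented Microsoft defaults, except that Server 2003 defaults to level 2, which the script treats as "not hardened" either way.

```powershell
# Added example: audit and (locally) fix LM hash storage and the LM authentication level.
# On a domain member, set the equivalent group policies instead; a local registry write
# is overwritten at the next policy refresh.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaValue([string] $Name) {
    # Returns $null when the value does not exist (the OS default then applies).
    $item = Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-LmHardening {
    $os       = [Environment]::OSVersion.Version
    $noLmHash = Get-LsaValue 'NoLMHash'
    $level    = Get-LsaValue 'LmCompatibilityLevel'
    # Absent value: Vista/2008 (6.x) default to NoLMHash=1 and level 3; XP defaults to 0 and 0.
    if ($noLmHash -eq $null) { $noLmHash = [int]($os.Major -ge 6) }
    if ($level -eq $null)    { $level    = $(if ($os.Major -ge 6) { 3 } else { 0 }) }
    $result = New-Object PSObject -Property @{
        NoLMHash             = [int]$noLmHash
        LmCompatibilityLevel = [int]$level
        StoresLmHash         = ([int]$noLmHash -ne 1)
        # Below level 5 the machine, acting as a server, still accepts LM and/or NTLM from clients.
        AcceptsLmOrNtlm      = ([int]$level -lt 5)
        Hardened             = ([int]$noLmHash -eq 1 -and [int]$level -eq 5)
    }
    $result | Select-Object NoLMHash, LmCompatibilityLevel, StoresLmHash, AcceptsLmOrNtlm, Hardened
}

function Set-LmHardening {
    # Needs an elevated prompt. Existing LM hashes are not removed until each account's
    # next password change, which is exactly what the policy name says.
    Set-ItemProperty -Path $lsa -Name NoLMHash             -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    Test-LmHardening
}

Test-LmHardening | Format-Table -AutoSize
```

Run Test-LmHardening across your servers before flipping the level to 5 domain-wide: the slide's warning about NASes and network-attached printers applies here, because a device that can only speak LM or NTLMv1 will stop authenticating the moment its file server refuses them.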
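The "Stomping Administrator" slides do this with net user and a group policy; as an added example (mine, not the deck's), here is the same stomp for a local SAM in PowerShell, written so that it finds the built-in account by its RID of 500 even after it has been renamed. It assumes a workstation or member server (on a domain controller the WinNT: provider addresses the domain account, so use the slide's net user /domain command there) and that you are running it from a different administrative account, since it disables the one it finds.

```powershell
# Added example: locate the built-in Administrator (RID 500), give it a throwaway
# random password and disable it. Requires an elevated prompt on a non-DC.

function New-RandomPassword([int] $Length = 24) {
    # Crypto-quality random password over the 94 printable ASCII symbols (no space).
    $chars = [char[]](33..126)
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $one   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($one)
        # Rejection sampling: 188 = 2 * 94, so accepted bytes map uniformly onto $chars.
        if ($one[0] -lt 188) { [void]$sb.Append($chars[$one[0] % 94]) }
    }
    $sb.ToString()
}

function Get-BuiltinAdministrator {
    # The built-in Administrator always carries RID 500, whatever it has been renamed to.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
        Where-Object { $_.SID -like '*-500' } |
        Select-Object Name, Disabled, PasswordRequired, SID
}

function Disable-BuiltinAdministrator {
    $acct = Get-BuiltinAdministrator
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$($acct.Name),user"
    $user.SetPassword((New-RandomPassword 24))            # nobody is told this password
    $user.UserFlags.Value = $user.UserFlags.Value -bor 0x2 # ADS_UF_ACCOUNTDISABLE
    $user.SetInfo()
    Get-BuiltinAdministrator
}

"Before:"; Get-BuiltinAdministrator | Format-Table -AutoSize
# Disable-BuiltinAdministrator | Format-Table -AutoSize   # uncomment to actually stomp it
```

On a clean Vista or Windows 7 install the account is already disabled, so the "Before" line mostly matters on upgraded machines and on servers; the RID-500 lookup is also the check to run when you want to know whether someone quietly re-enabled it.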
- After-the-fact forensics
- Helpful in compliance situations (HIPAA, SOX)
- Treat logs, policy-wise, the way you treat money accounting records
- The biggest pain is collecting and archiving the Security logs, as there's one on every workstation and server

Auditing And Logs: what modern Windows offers
- Fine-tune who you're auditing with auditusr, which first appeared in XP SP2 and 2003 SP1/R2 (see my August 2005 newsletter)
- In Vista and later, it's called "auditpol" and has different syntax
- Easily centralize logs with Windows 6 and 7's ability to forward events to a single system: "event log subscriptions" (see chapter 1 of my Vista security book, a free download, for examples)

Slide 38: Auditing And Logs: some fairly big news in Windows auditing in Win 7/R2
- More auditable stuff: 9 categories in Vista's group policy...
- ... 54 subcategories in Windows 7/R2's
- To see this, look in Group Policy / Windows Settings / Security Settings; the old "Local Policies / Audit Policy" is there, but there's also now an "Advanced Audit Policy Configuration" folder
- "Global SACL" or "Global object access auditing" completely changes object auditing: one policy covers every file or registry key on the box, with no per-object SACL to set
- Use either group policies or auditpol to enable "Reason for access" reporting

Slide 39: Securing Services
- Whenever there's a headline-grabbing security attack, there's a compromised service behind it
- There have traditionally been three things you can do to reduce services' vulnerabilities:
  - Disable the unnecessary ones
  - Minimize the remaining ones' privileges
  - Minimize the remaining ones' permissions
- XP SP2 started a trend that way, but you may be surprised at what Windows 6 did to shore up services' security

Services, Phase One: disable unnecessary ones
- Much less necessary with Vista/2008
- The Messenger, ClipBook and Alerter services are gone
- Other services are isolated in a separate Terminal Services-style session (session 0) and so cannot interact with the desktop
- (Only bad part: this causes some pre-Vista print drivers to fail)

Services, Phase 2: de-fang the services that you leave running
- Services run not as you, but as some account, probably System, which is all-powerful
- Thus, any damage that they can do is limited by the permissions on that account
- Unfortunately that's usually System
- Vista/2008 include a built-in feature that reduces much of System's power: a service can declare the privileges it needs, and everything else is stripped from its token

Services, Phase 2: finding out if your devs have been lazy
- The problem is that not every developer exploits it
- Way to find out: open an elevated command prompt and type
  sc qprivs servicename
- If you don't get a list of privileges, that service has not been secured, so yell at the developer!
- (More info in Chapter 7 of my Vista security book)

Services, Phase 3: reducing their power with service isolation
- "System" has all-encompassing file permissions
- Vista/2008 take it a step further with "service isolation"
- Basically, an isolated service is one whose developer has determined exactly which files, folders, registry keys and other objects the service needs, and has used a new Vista/2008 feature (a per-service SID in a write-restricted token) to explicitly lock it out of everything else
- Test:
  sc qsidtype servicename
  You want to see "SERVICE_SID_TYPE: RESTRICTED"
- If not... whack the developers!

Services: Summary
- If you've already paid for Windows 6 (Vista / 2008) or are about to pay for Windows 7, then you've already invested in this infrastructure... it's crazy not to use it
- Use the tips you've seen here to go back and check your third-party apps, your home-grown apps, heck, even the Microsoft stuff
- The point is that Windows now offers these "air bags" for services; it's up to the developers to use them

Physical Security
- The idea is "if I can touch it, I can hurt it"
- The top item on many people's security lists... but not always a practical one to accomplish
- Servers are often protected...
- ... but what about in branch offices?
- And how can we (realistically) secure workstations, particularly laptops?
- And beyond workstations, what about the other things that carry copies of our data?
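Before the physical security slides, two added checks for the auditing and services slides above. The first is an auditpol baseline (mine, not the deck's) for Vista/2008/7/R2 that backs up the current policy, enables success and failure auditing on a set of subcategories that cover logons, account and group changes, privilege use, process creation and changes to the audit policy itself, and then reads the policy back as CSV to confirm it. The subcategory list is my choice of a starting point, and the names assume an English-language Windows, since auditpol's output is localized.

```powershell
# Added example: apply and verify a local audit-policy baseline with auditpol.
# Run elevated. On domain members, put the same settings in group policy under
# Advanced Audit Policy Configuration; a local auditpol change is overwritten
# at the next policy refresh.

$baseline = @(
    'Logon', 'Logoff', 'Account Lockout', 'Special Logon',
    'Credential Validation',
    'User Account Management', 'Security Group Management',
    'Audit Policy Change',
    'Sensitive Privilege Use',
    'Process Creation',
    'Security State Change', 'Security System Extension', 'System Integrity'
)

function Backup-AuditPolicy([string] $Path = "$env:TEMP\auditpol-before.csv") {
    # Restore later with: auditpol /restore /file:<path>
    auditpol /backup "/file:$Path" | Out-Null
    $Path
}

function Get-AuditPolicy {
    # /r emits CSV: Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting. Blank lines are dropped before parsing.
    auditpol /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Set-AuditBaseline {
    foreach ($sub in $baseline) {
        auditpol /set "/subcategory:$sub" /success:enable /failure:enable | Out-Null
    }
}

function Test-AuditBaseline {
    # One row per baseline subcategory, OK only when both success and failure are on.
    $current = Get-AuditPolicy
    foreach ($sub in $baseline) {
        $row     = $current | Where-Object { $_.Subcategory -eq $sub }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
        $obj = New-Object PSObject -Property @{
            Subcategory = $sub
            Setting     = $setting
            OK          = ($setting -eq 'Success and Failure')
        }
        $obj | Select-Object Subcategory, Setting, OK
    }
}

$backup = Backup-AuditPolicy
"Saved the previous policy to $backup"
Set-AuditBaseline
Test-AuditBaseline | Format-Table -AutoSize
```

Test-AuditBaseline is also the thing to run on its own, periodically, to catch a box where someone turned auditing back off; and once the logs exist, the slide's event log subscriptions (wecutil qc on the collector, winrm quickconfig on the sources) are what get them off the individual machines.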
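The second added check turns the "sc qprivs" and "sc qsidtype" tests from the services slides into a report over every running service. It is my example, not the deck's: it reads the account each service runs as from WMI, counts the privileges the service declared, and records the service SID type, so you can see at a glance which services got phase 2 (declared privileges), which got phase 3 (a RESTRICTED service SID), and which got neither.

```powershell
# Added example: report which services declared their privileges (sc qprivs)
# and which run with a restricted service SID (sc qsidtype). Run elevated:
# without elevation sc.exe reports access denied and the row is marked 'error'.

function Get-ServiceHardening {
    param([string[]] $Name)
    if (-not $Name) {
        $Name = Get-WmiObject Win32_Service -Filter "State='Running'" | ForEach-Object { $_.Name }
    }
    foreach ($svc in $Name) {
        $wmi = Get-WmiObject Win32_Service -Filter "Name='$svc'"

        # Phase 2: declared privileges appear as "PRIVILEGES : SeXxxPrivilege" lines;
        # a service that never declared any prints no Se...Privilege line at all.
        $out   = sc.exe qprivs $svc | Out-String
        $qpOk  = ($LASTEXITCODE -eq 0)
        $privs = @([regex]::Matches($out, 'Se\w+Privilege') | ForEach-Object { $_.Value })

        # Phase 3: the SID type is NONE, UNRESTRICTED or RESTRICTED.
        $out     = sc.exe qsidtype $svc | Out-String
        $sidType = if ($LASTEXITCODE -ne 0) { 'error' }
                   elseif ($out -match 'SERVICE_SID_TYPE:\s*(\w+)') { $Matches[1] }
                   else { 'unknown' }

        $obj = New-Object PSObject -Property @{
            Name           = $svc
            Account        = $wmi.StartName
            SidType        = $sidType
            PrivsDeclared  = if ($qpOk) { $privs.Count -gt 0 } else { 'error' }
            Privileges     = ($privs -join ',')
            Isolated       = ($sidType -eq 'RESTRICTED')
        }
        $obj | Select-Object Name, Account, SidType, PrivsDeclared, Isolated, Privileges
    }
}

# Everything still running with a full System token and no declared privileges:
Get-ServiceHardening |
    Where-Object { $_.Account -eq 'LocalSystem' -and $_.PrivsDeclared -eq $false } |
    Format-Table Name, SidType, Isolated -AutoSize
```

One caveat when reading the output: a service hosted in a shared svchost.exe runs in a process whose token carries the union of the privileges declared by every service in that process, so a tidy declaration is only as good as its neighbours'. Hence the slide's advice to check the Microsoft services too.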
Slide 48: Physical Security: the problem
- Once upon a time, we could lock our data behind locks and walls
- We still can in some places, and when we can, we must
- But what about when we can't? (Example: booting an XP box from a Windows 2000 CD and reading its disk)

Slide 49: Physical Security using Windows 6 and 7: three technologies
- Device installation group policies: "no removable devices allowed on this system"
- BitLocker: encrypts drives, securing laptops and branch office servers
- BitLocker To Go: encrypts removable devices like USB sticks
  - Includes group policies that say, "don't let the user save data onto a USB stick unless the stick's been encrypted"

Slide 50: Physical Security and RODCs: protecting your Active Directory
- In branch offices with questionable physical security, consider 2008-based "read-only domain controllers" or RODCs
- By default, RODCs contain copies of the AD...
- ... but no passwords
- Thus, it's no good if the WAN link's down, but if stolen, it's got nothing we care about

Slide 51: Physical Security and RODCs: why's it good?
- RODCs let you "loosen" security a bit
- You can put as many or as few passwords onto an RODC as you like (the password replication policy decides which accounts it may cache)
- And if the RODC is stolen, just three clicks resets the passwords it had cached and deletes the RODC's domain membership
- Combine it with BitLocker and Server Core and you're better protected
- Caveat: can't act as a GC for Exchange

Slide 52: Have A Disaster Plan: the problem
- Every organization needs DR and BC plans
- "What if we're hacked?"
- "What if there's a fire?"
- "What if the water tower on the roof leaks and we have a flood on the top floor, where the servers are?"
- DR plans can be a pain; here are a few thoughts

Slide 54: Have A Plan: have simple (but explicit) plans
- After the attack/disaster, the question's the same: where are the backups? How do I restore them? How do I rebuild a DHCP server?
- These should be step-by-step plans
- These must be tested beforehand
- This is not a small job, but it's necessary and even constitutes training material for new hires

Slide 55: Make DR a Bit Easier w/2008
- DR plans are a good idea... but can be so hard to do
- Answer: some sort of image backup / "bare metal restore" tool
- Many of the big vendors have them
- But Windows 6/7 include one: Complete PC Backup
- See my newsletters 64 and 66 for specifics

Slide 56: Upgrade the Carbon Units: no technology can protect us from attachments
- Kournikova worked because users didn't know better and because we "protect" them from extensions (Explorer hid the real .vbs extension of "AnnaKournikova.jpg.vbs")
- The weasels only win when users invite them in
- Don't yell, but... user training is the answer
- Just 15 minutes of basics about mail and attachments goes a long way

Slide 57: Stay Informed and Stay Paranoid
- www.microsoft.com/security for patches etc.
- www.sans.org
- www.securityfocus.com
- the security pages from whatever apps you rely upon

Slide 58: Simplify Patching
- If "physical" is #1 on many lists, this is probably #2 or #3
- WSUS, of course
- But don't forget your other technologies
- And then there's patching images
- If, however, you're using the free Windows (6 and 7) deployment tools from Microsoft, patching WIM images offline is easier than just about any tech around (and, again, it's free)

Slide 59: Thanks!
- I hope this was useful
- Contact e-mail: [email protected]
- Free newsletter and seminar information at www.minasi.com
- Please join me at 8:30 tomorrow and Thursday for talks on Kerberos and then UAC/WIL
- This talk is repeated at 2:45 tomorrow in room 153
- Don't forget the evals and enjoy the rest of the show!!!
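For the "patching images" item on the Simplify Patching slide, here is an added example (mine, not from the deck) of the offline WIM servicing the slide alludes to, using DISM from the Windows 7 AIK: mount an image index, inject downloaded updates, list what is in the image, and commit. The image path, mount folder and updates folder are placeholders; the .msu files in the updates folder are whatever you downloaded from the Microsoft security site the previous slide points at.

```powershell
# Added example: inject updates into a Windows 7 / 2008 R2 WIM offline with DISM.
# Requires the Windows 7 AIK (or a Win7/R2 box, which ships dism.exe) and an
# elevated prompt. Paths are placeholders.

$wim     = 'C:\images\install.wim'   # image to service
$index   = 1                         # which image inside the WIM (dism /Get-WimInfo lists them)
$mount   = 'C:\mount'                # empty folder to mount it on
$updates = 'C:\updates'              # downloaded .msu / .cab packages

function Mount-Image {
    if (-not (Test-Path $mount)) { New-Item -ItemType Directory -Path $mount | Out-Null }
    dism /Mount-Wim "/WimFile:$wim" "/Index:$index" "/MountDir:$mount"
    if ($LASTEXITCODE -ne 0) { throw "mount failed (exit $LASTEXITCODE); try dism /Cleanup-Wim" }
}

function Add-Updates {
    # /PackagePath also accepts a folder, but one call per package gives per-package status.
    Get-ChildItem -Path $updates -Include *.msu, *.cab -Recurse | ForEach-Object {
        dism "/Image:$mount" /Add-Package "/PackagePath:$($_.FullName)"
        if ($LASTEXITCODE -ne 0) { Write-Warning "failed: $($_.Name) (exit $LASTEXITCODE)" }
    }
}

function Get-InstalledPackages {
    # Shows what is already in the image, so you can see which KBs took.
    dism "/Image:$mount" /Get-Packages
}

function Dismount-Image([switch] $Discard) {
    if ($Discard) { dism /Unmount-Wim "/MountDir:$mount" /Discard }
    else          { dism /Unmount-Wim "/MountDir:$mount" /Commit }
}

Mount-Image
Add-Updates
Get-InstalledPackages
Dismount-Image            # use Dismount-Image -Discard to throw the changes away
```

Commit only after Get-InstalledPackages shows what you expect; a mount that is interrupted leaves a stale mount point behind, which dism /Cleanup-Wim clears. The freshly serviced WIM then goes back into your deployment share, and WSUS still covers everything already deployed.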